cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
928
Views
5
Helpful
1
Replies

Recovering damaged/non-booting NIM bootrom

tkapela12
Level 1
Level 1

Hello, 

One of our many NIM-4G-LTE-ST modules seems to have developed some invalid flash contents. We suspect this module lost power during an IOS XE upgrade, wherein XE was silently attempting to upgrade NIM flash during initial bootup after reload. Now we know better. We're running isr4300-universalk9.17.01.01.SPA.bin at the moment.

At any rate, here's what we're seeing as the NIM attempts to boot (taken from output logged via 'hw-module session 1/0 ..'):

Microloader - 1.00

Booting from SPI flash

SecureBoot: Verify UPGRADE images
SecureBoot: keys.primary=======0xae0225ab
SecureBoot: keys.backup========0xae0225ab
SecureBoot: Boot image offset =0xd4008000
SecureBoot: vmap_flash_addr====0xd4000040
SecureBoot: vmap.platform_id===0xffffffff
SecureBoot: vmap.base==========0xffffffff
SecureBoot: vmap.num_signed====0xffffffff
SecureBoot: vmap.seg0_base=====0xffffffff
SecureBoot: vmap.seg0_size=====0xffffffff
SecureBoot: vmap.sig_size======0xffffffff
SecureBoot: vmap.sig_value=====0x4003f314
SecureBoot: vmap.size==========0x0000000c
SecureBoot: ***Error: Verification map is bad! rc=0x00000039
SecureBoot: ***Error: verify images failure: 0x00000039
SecureBoot: code signing results:
SecureBoot:   return_code======0x00000039
SecureBoot:   key_index========0x00000000
SecureBoot:   key_type=========0x00000000
SecureBoot:   bootver==========0x00000000
SecureBoot:   signature_addr===0x00000000
SecureBoot:   signature_size===0x00000000
SecureBoot:   reserved=========0x00000000Microloader: Secureboot code verification failed 00000039

Verification fail!!

SecureBoot: Verify GOLDEN images
SecureBoot: keys.primary=======0xae0225ab
SecureBoot: keys.backup========0xae0225ab
SecureBoot: Boot image offset =0xd4308000
SecureBoot: vmap_flash_addr====0xd4300040
SecureBoot: vmap.platform_id===0x80000003
SecureBoot: vmap.base==========0xd4300000
SecureBoot: vmap.num_signed====0x00000003
SecureBoot: vmap.seg0_base=====0x00008000
SecureBoot: vmap.seg0_size=====0x000678fc
SecureBoot: vmap.sig_size======0x00000184
SecureBoot: vmap.sig_value=====0x4003f334
SecureBoot: vmap.size==========0x0000002c
SecureBoot: add image data
SecureBoot: flashload_segment:
SecureBoot:   seg_addr===0xd4308000
SecureBoot:   seg_size===0x000678fc
SecureBoot: flashload_segment:
SecureBoot:   seg_addr===0xd4300400
SecureBoot:   seg_size===0x000038a8
SecureBoot: flashload_segment:
SecureBoot:   seg_addr===0xd4300040
SecureBoot:   seg_size===0x00000030
SecureBoot: add signature envelope without signature, size=0x0000007c
SecureBoot: add signature padding, size=0x00000005
SecureBoot:   return_code===0x00000000
SecureBoot:   key_index=====0x00000002
SecureBoot:   key_type======0x00000002
SecureBoot: Image verified successfully
SecureBoot: code signing results:
SecureBoot:   return_code======0x00000000
SecureBoot:   key_index========0x00000002
SecureBoot:   key_type=========0x00000002
SecureBoot:   bootver==========0x00000000
SecureBoot:   signature_addr===0xd430006c
SecureBoot:   signature_size===0x00000184
SecureBoot:   reserved=========0x00000000

General initialization - Version: 1.0.0

High speed PHY - Version: 1.0

Init F35 board topology
board topology details:
serdes num: 0
serdes speed: 04
serdes type: SGMII0
High speed PHY - Ended Successfully
DDR3 Training Sequence - Ver TIP-1.1.0
DDR3 Training Sequence - Ended Successfully
DDR3 Training Sequence - Start scrubbing
DDR3 Training Sequence - End scrubbing
Microloader: Image checksum verification PASSED

Secure Boot Image:  Golden

  ____  _
/ ___|(_) ___   ___  ___
| |    | |/ __| / __|/ _ \
| |___ | |\__ \| (__| (_) |

\____||_||___/ \___|\___/

         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_
        | | | |___|  _ \ / _ \ / _ \| __|
        | |_| |___| |_) | (_) | (_) | |_

        \___/    |____/ \___/ \___/ \__|

 

** LOADER **

 

U-Boot 2013.01 (Aug 07 2014 - 11:56:10) Cisco version: 0.12

Board: CISCO-F35
SoC:   MV88F6820 Rev 0
       running 1 CPUs
CPU:   ARM Cortex A9 MPCore (Rev 1) LE
       CPU 0
       CPU    @ 1600 [MHz]
       L2     @ 800 [MHz]
       TClock @ 200 [MHz]
       DDR    @ 800 [MHz]
       DDR 16Bit Width, FastPath Memory Access
       DDR ECC Enabled
DRAM:  256 MiB

Map:   Code: 0x0ff9c000:0x0ffe4678
       BSS: 0x0ffefa1c
       Stack: 0x0fa8bf38
       Heap: 0x0fa8c000:0x0ff9c000

SF: Detected M25PX32 with page size 64 KiB, total 4 MiB

*** Warning - bad CRC, using default environment

Board configuration detected:
       SGMII module.
SF: Detected M25PX32 with page size 64 KiB, total 4 MiB
Secure Boot code verifier loaded
Net:   egiga0 [PRIME], egiga1

Hit any key to stop autoboot:  0

BOOTP broadcast 1
Using egiga0 device
TFTP from server 10.100.0.1; our IP address is 10.100.0.2
Filename 'firmware/f35_fw.img'.
Load address: 0x2000000
Loading: *
TFTP error: 'File not found' (1)
Not retrying...
Wrong Image Format for bootm command
ERROR: can't get kernel image!

cisco-uboot>


Ok, so, this boot fails, of course, and eventually uboot (or some watchdog component) automatically restarts the board, and it'll attempt to boot again, fail again, and so on. 

Getting clever, and noting how WORKING NIMs boot...we then issue a command to manually load what would typically be the correct image, which ACTUALLY DOES exist in our XE distribution, like so.

"cisco-uboot> bootp firmware/nim_cwan_fw.img"

...which results in the following:


BOOTP broadcast 1
Using egiga0 device
TFTP from server 10.100.0.1; our IP address is 10.100.0.2
Filename 'firmware/nim_cwan_fw.img'.
Load address: 0x2000000
Loading: #################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
#################################################################
###################################################
6 MiB/s
done
Bytes transferred = 17910254 (11149ee hex)

Executing code verification process...
V_Target program argc=3 argv[1]=33554432, argv[2]=17910254
V_Target program load_addr=33554432 (0x2000000) file_size=17910254 (0x11149ee)
[v_target] ram_hdr_addr = 0x31149ce, v_header = 0xfa8bd50
[v_target] v_header addr = 0xfa8bd50, v_header->vh_magic=0xf4e3d2c1
Error!! Wrong module type (0x4)
Code verification failed

cisco-uboot>

...so, in short, some questions:

a) What in the ever-loving heck is going on here? After scouring the internet and annoying various friends who work at Cisco, I can't turn up any information on what exactly the uboot defaults of "f35_fw.img" are all about, and no amount of twiddling with board jumper settings seems to alter the bootup sequence in any meaningful ways. 

B) Are there any clues as to where we can find some sort of bootable code for this NIM board type, and recover/reflash this unit after a successful boot?

C) Is there some sort of built-in recovery image we can use within the ISR4k? 

Best,

-Tk

1 Reply 1

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello @tkapela12 ,

first of all my compliments for your detailed problem description.

 

I think you have done everything it is possible to try to recover this NIM module.

 

Ask for HW replacement RMA. You have tried everything is possible.

Last suggestion :

ask for a maintenance window power off the ISR 4300 and remove the NIM wait a couple of minutes then install it again and then power the ISR 4300 again.

This is to be sure to perform a HW power cycle on the module.

Then try again to load a known good image taken from another ISR4300.

 

 

 

Hope to help

Giuseppe

Review Cisco Networking for a $25 gift card